42.9. IPTables

Included with Red Hat Enterprise Linux are advanced tools for network packet filtering — the process of controlling network packets as they enter, move through, and exit the network stack within the kernel. Kernel versions prior to 2.4 relied on ipchains for packet filtering and used lists of rules applied to packets at each step of the filtering process. The 2.4 kernel introduced the netfilter framework and its user-space administration tool, iptables (the two names are often used interchangeably), which is similar to ipchains but greatly expands the scope and control available for filtering network packets.

This chapter focuses on packet filtering basics, defines the differences between ipchains and iptables, explains various options available with iptables commands, and explains how filtering rules can be preserved between system reboots.

Refer to Section 42.9.7, “Additional Resources” for instructions on how to construct iptables rules and setting up a firewall based on these rules.

Warning

The default firewall mechanism in the 2.4 and later kernels is iptables, but iptables cannot be used if ipchains is already running. If ipchains is present at boot time, the kernel issues an error and fails to start iptables.

The functionality of ipchains is not affected by these errors.

42.9.1. Packet Filtering

The Linux kernel uses the Netfilter facility to filter packets, allowing some of them to be received by or pass through the system while stopping others. This facility is built into the Linux kernel, and has three built-in tables, or rule lists, as follows:

  • filter — The default table for handling network packets.

  • nat — Used to alter packets that create a new connection and used for Network Address Translation (NAT).

  • mangle — Used for specific types of packet alteration.

Each table has a group of built-in chains, which correspond to the actions performed on the packet by netfilter.

The built-in chains for the filter table are as follows:

  • INPUT — Applies to network packets that are targeted for the host.

  • OUTPUT — Applies to locally-generated network packets.

  • FORWARD — Applies to network packets routed through the host.

The built-in chains for the nat table are as follows:

  • PREROUTING — Alters network packets when they arrive.

  • OUTPUT — Alters locally-generated network packets before they are sent out.

  • POSTROUTING — Alters network packets before they are sent out.

The built-in chains for the mangle table are as follows:

  • INPUT — Alters network packets targeted for the host.

  • OUTPUT — Alters locally-generated network packets before they are sent out.

  • FORWARD — Alters network packets routed through the host.

  • PREROUTING — Alters incoming network packets before they are routed.

  • POSTROUTING — Alters network packets before they are sent out.

Every network packet received by or sent from a Linux system is subject to at least one table. However, a packet may be subjected to multiple rules within each table before emerging at the end of the chain. The structure and purpose of these rules may vary, but they usually seek to identify a packet coming from or going to a particular IP address, or set of addresses, when using a particular protocol and network service.

Note

By default, firewall rules are saved in the /etc/sysconfig/iptables or /etc/sysconfig/ip6tables files.

The iptables service starts before any DNS-related services when a Linux system is booted, so rules in /etc/sysconfig/iptables can only reference numeric IP addresses (for example, 192.168.0.1); domain names (for example, host.example.com) in such rules produce errors at boot. Even when DNS is available, a hostname is resolved only once, when the rule is inserted, and the resulting address is what the kernel matches: a later change to the name's DNS record has no effect on the rule, and a name that resolves to several addresses produces one rule per address.

Regardless of their destination, when packets match a particular rule in one of the tables, a target or action is applied to them. If the rule specifies an ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, that packet is refused access to the system and nothing is sent back to the host that sent the packet. If a rule specifies a QUEUE target, the packet is passed to user-space. If a rule specifies the optional REJECT target, the packet is dropped, but an error packet is sent to the packet's originator.

Each built-in chain has a default policy of ACCEPT or DROP (QUEUE is also accepted; REJECT is an extension target and cannot be used as a policy). If none of the rules in the chain apply to the packet, then the packet is dealt with in accordance with the default policy. User-defined chains have no policy: a packet that reaches the end of one returns to the chain that called it.

The iptables command configures these tables and creates user-defined chains within them as needed; new tables cannot be added from user space.

42.9.2. Differences Between IPTables and IPChains

Both ipchains and iptables use chains of rules that operate within the Linux kernel to filter packets based on matches with specified rules or rule sets. However, iptables offers a more extensible way of filtering packets, giving the administrator greater control without building undue complexity into the system.

You should be aware of the following significant differences between ipchains and iptables:

Using iptables, each filtered packet is processed using rules from only one chain rather than multiple chains.

For example, a FORWARD packet coming into a system using ipchains would have to go through the INPUT, FORWARD, and OUTPUT chains to continue to its destination. However, iptables only sends packets to the INPUT chain if they are destined for the local system, and only sends them to the OUTPUT chain if the local system generated the packets. It is therefore important to place the rule designed to catch a particular packet within the chain that actually handles the packet.

The DENY target has been changed to DROP.

In ipchains, packets that matched a rule in a chain could be directed to the DENY target. This target must be changed to DROP in iptables.

Order matters when placing options in a rule.

In ipchains, the order of the rule options does not matter.

The iptables command has a stricter syntax: the protocol (-p icmp, tcp, or udp) must be specified before any protocol-specific match such as a source or destination port, because the port options are provided by that protocol's match module and are unknown until it is loaded.

Network interfaces must be associated with the correct chains in firewall rules.

For example, incoming interfaces (-i option) can only be used in INPUT or FORWARD chains. Similarly, outgoing interfaces (-o option) can only be used in FORWARD or OUTPUT chains.

In other words, INPUT chains and incoming interfaces work together; OUTPUT chains and outgoing interfaces work together. FORWARD chains work with both incoming and outgoing interfaces.

OUTPUT chains are no longer used by incoming interfaces, and INPUT chains are not seen by packets moving through outgoing interfaces.

This is not a comprehensive list of the changes. Refer to Section 42.9.7, “Additional Resources” for more specific information.

42.9.3. Command Options for IPTables

Rules for filtering packets are created using the iptables command. The following aspects of the packet are most often used as criteria:

  • Packet Type — Specifies the type of packets the command filters.

  • Packet Source/Destination — Specifies which packets the command filters based on the source or destination of the packet.

  • Target — Specifies what action is taken on packets matching the above criteria.

Refer to Section 42.9.3.4, “IPTables Match Options” and Section 42.9.3.5, “Target Options” for more information about specific options that address these aspects of a packet.

The options used with specific iptables rules must be grouped logically, based on the purpose and conditions of the overall rule, for the rule to be valid. The remainder of this section explains commonly-used options for the iptables command.

42.9.3.1. Structure of IPTables Command Options

Many iptables commands have the following structure:


iptables [-t <table-name>] <command> <chain-name> \
        <parameter-1> <option-1> \
        <parameter-n> <option-n>

<table-name> — Specifies which table the rule applies to. If omitted, the filter table is used.

<command> — Specifies the action to perform, such as appending or deleting a rule.

<chain-name> — Specifies the chain to edit, create, or delete.

<parameter>-<option> pairs — Parameters and associated options that specify how to process a packet that matches the rule.

The length and complexity of an iptables command can change significantly, based on its purpose.

For example, a command to remove a rule from a chain can be very short:

iptables -D <chain-name> <line-number>

In contrast, a command that adds a rule which filters packets from a particular subnet using a variety of specific parameters and options can be rather long. When constructing iptables commands, it is important to remember that some parameters and options require further parameters and options to construct a valid rule. This can produce a cascading effect, with the further parameters requiring yet more parameters. Until every parameter and option that requires another set of options is satisfied, the rule is not valid.

Type iptables -h to view a comprehensive list of iptables command structures.

42.9.3.2. Command Options

Command options instruct iptables to perform a specific action. Only one command option is allowed per iptables command. With the exception of the help command, all commands are written in upper-case characters.

The iptables commands are as follows:

  • -A — Appends the rule to the end of the specified chain. Unlike the -I option described below, it does not take an integer argument. It always appends the rule to the end of the specified chain.

  • -C — Checks whether a rule matching the given specification already exists in the specified chain, returning exit status 0 if it does and 1 if it does not. This is useful in scripts that must not insert duplicate rules. The option was implemented in iptables 1.4.11; it does not prompt for additional parameters.

  • -D <integer> | <rule> — Deletes a rule in a particular chain by number (such as 5 for the fifth rule in a chain), or by rule specification. The rule specification must exactly match an existing rule.

  • -E — Renames a user-defined chain. A user-defined chain is any chain other than the default, pre-existing chains. (Refer to the -N option, below, for information on creating user-defined chains.) This is a cosmetic change and does not affect the structure of the table.

    Note

    If you attempt to rename one of the default chains, the system reports a Match not found error. You cannot rename the default chains.

  • -F — Flushes the selected chain, which effectively deletes every rule in the chain. If no chain is specified, this command flushes every rule from every chain.

  • -h — Provides a list of command structures, as well as a quick summary of command parameters and options.

  • -I [<integer>] — Inserts the rule in the specified chain at a point specified by a user-defined integer argument. If no argument is specified, the rule is inserted at the top of the chain.

    Caution

    As noted above, the order of rules in a chain determines which rules apply to which packets. This is important to remember when adding rules using either the -A or -I option.

    This is especially important when adding rules using the -I with an integer argument. If you specify an existing number when adding a rule to a chain, iptables adds the new rule before (or above) the existing rule.

  • -L — Lists all of the rules in the chain specified after the command. To list all rules in all chains in the default filter table, do not specify a chain or table. Otherwise, the following syntax should be used to list the rules in a specific chain in a particular table:

    
    iptables -L <chain-name> -t <table-name>
    
    

    Additional options for the -L command option, which provide rule numbers and allow more verbose rule descriptions, are described in Section 42.9.3.6, “Listing Options”.

  • -N — Creates a new chain with a user-specified name. The chain name must be unique, otherwise an error message is displayed.

  • -P — Sets the default policy for the specified chain, so that when packets traverse an entire chain without matching a rule, they are sent to the specified target, such as ACCEPT or DROP.

  • -R — Replaces a rule in the specified chain. The rule's number must be specified after the chain's name. The first rule in a chain corresponds to rule number one.

  • -X — Deletes a user-defined chain. The chain must be empty and must not be referenced by any rule; you cannot delete a built-in chain. With no chain name, every empty user-defined chain in the table is deleted.

  • -Z — Sets the byte and packet counters in all chains for a table to zero.

42.9.3.3. IPTables Parameter Options

Certain iptables commands, including those used to add, append, delete, insert, or replace rules within a particular chain, require various parameters to construct a packet filtering rule.

  • -c <packets> <bytes> — Sets the packet and byte counters of a rule as it is appended, inserted, or replaced (also written --set-counters). iptables-save -c records each rule's current counters and iptables-restore -c reinstates them, so a restored rule set can continue from the saved values.

  • -d — Sets the destination hostname, IP address, or network of a packet that matches the rule. A hostname is resolved when the rule is inserted, not when packets are matched. When matching a network, the following address/netmask formats are supported:

    • N.N.N.N/M.M.M.M — Where N.N.N.N is the network address and M.M.M.M is the netmask.

    • N.N.N.N/M — Where N.N.N.N is the network address and M is the prefix length in bits (for example, 192.168.0.0/24).

  • -f — Applies this rule only to the second and further fragments of a fragmented packet (the first fragment carries the headers and is matched like any other packet).

    Place an exclamation point character (!) before this parameter (! -f) to match only unfragmented packets and first fragments.

    Note

    Distinguishing between fragmented and unfragmented packets is desirable, despite fragmented packets being a standard part of the IP protocol.

    Originally designed to allow IP packets to travel over networks with differing frame sizes, fragmentation is also abused to evade filters and to build DoS attacks from malformed or overlapping fragments. Two caveats apply: when the connection-tracking module is loaded, packets are reassembled before the filter table sees them, so -f rarely matches anything on a stateful firewall; and IPv6 does not permit routers to fragment packets in transit, only the sending host may do so, using the Fragment extension header.

  • -i — Sets the incoming network interface, such as eth0 or ppp0. With iptables, this optional parameter may only be used with the INPUT and FORWARD chains when used with the filter table and the PREROUTING chain with the nat and mangle tables.

    This parameter also supports the following special options:

    • Exclamation point character (!) — Placed before the parameter (! -i eth0), reverses the directive so that packets arriving on the named interface are excluded from this rule.

    • Plus character (+) — A wildcard that matches every interface whose name begins with the given string. For example, -i eth+ applies the rule to eth0, eth1 and so on, but not to other interfaces such as ppp0.

    If a rule has no -i parameter, it applies to packets arriving on any interface; -i + has the same effect.

  • -j — Jumps to the specified target when a packet matches a particular rule.

    The standard targets are ACCEPT, DROP, QUEUE, and RETURN.

    Extended options are also available through modules loaded by default with the Red Hat Enterprise Linux iptables RPM package. Valid targets in these modules include LOG, MARK, and REJECT, among others. Refer to the iptables man page for more information about these and other targets.

    This option can also be used to direct a packet matching a particular rule to a user-defined chain outside of the current chain so that other rules can be applied to the packet.

    If no target is specified, the packet moves past the rule with no action taken. The rule's packet and byte counters are still incremented, which makes a target-less rule a convenient way to count traffic that matches a pattern.

  • -o — Sets the outgoing network interface for a rule. This option is only valid for the OUTPUT and FORWARD chains in the filter table, and the POSTROUTING chain in the nat and mangle tables. This parameter accepts the same options as the incoming network interface parameter (-i).

  • -p <protocol> — Sets the IP protocol affected by the rule. This can be either icmp, tcp, udp, or all, or it can be a numeric value, representing one of these or a different protocol. You can also use any protocols listed in the /etc/protocols file.

    The "all" protocol means the rule applies to every supported protocol. If no protocol is listed with this rule, it defaults to "all".

  • -s — Sets the source for a particular packet using the same syntax as the destination (-d) parameter.

42.9.3.4. IPTables Match Options

Different network protocols provide specialized matching options which can be configured to match a particular packet using that protocol. However, the protocol must first be specified in the iptables command. For example, -p <protocol-name> enables options for the specified protocol. The protocol number from /etc/protocols can be used instead of the name (ICMP is protocol 1). The following two commands have the same effect:


iptables -A INPUT -p icmp --icmp-type any -j ACCEPT


iptables -A INPUT -p 1 --icmp-type any -j ACCEPT

Service definitions are provided in the /etc/services file. For readability, you can use the service names rather than the port numbers; be aware that a name is translated to a port number when the rule is loaded, so the rule's meaning depends on the content of /etc/services at that moment. (Rule sets written by iptables-save contain port numbers only.)

Important

Secure the /etc/services file to prevent unauthorized editing. If this file is editable, an attacker can change the port a service name maps to, so that a rule written with service names opens a port you believed closed. To secure this file, type the following commands as root:


[root@myServer ~]# chown root:root /etc/services
[root@myServer ~]# chmod 0644 /etc/services
[root@myServer ~]# chattr +i /etc/services

The immutable attribute prevents the file from being modified, renamed, deleted or hard-linked, even by root, until the attribute is cleared again with chattr -i. It guards against accidents and against processes that are not already running as root; an attacker who has root can remove the attribute, so treat it as a safeguard, not a security boundary.

42.9.3.4.1. TCP Protocol

These match options are available for the TCP protocol (-p tcp):

  • --dport — Sets the destination port for the packet.

    To configure this option, use a network service name (such as www or smtp); a port number; or a range of port numbers.

    To specify a range of port numbers, separate the two numbers with a colon (:). For example: -p tcp --dport 3000:3200. The largest acceptable valid range is 0:65535.

    Place an exclamation point character (!) before the --dport option (! --dport 22) to match all packets that do not use that network service or port. Older iptables releases also accepted the ! after the option (--dport ! 22); that placement is deprecated and current releases warn about it.

    To browse the names and aliases of network services and the port numbers they use, view the /etc/services file.

    The --destination-port match option is synonymous with --dport.

  • --sport — Sets the source port of the packet using the same options as --dport. The --source-port match option is synonymous with --sport.

  • --syn — Matches TCP packets that have the SYN flag set and the ACK, RST and FIN flags cleared, that is, the packets that request a new connection. It is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN.

    Place ! before the --syn option (! --syn) to match all other TCP packets.

  • --tcp-flags <tested flag list> <set flag list> — Allows TCP packets that have specific bits (flags) set, to match a rule.

    The --tcp-flags match option accepts two parameters. The first parameter is the mask; a comma-separated list of flags to be examined in the packet. The second parameter is a comma-separated list of flags that must be set for the rule to match.

    The possible flags are:

    • ACK

    • FIN

    • PSH

    • RST

    • SYN

    • URG

    • ALL

    • NONE

    For example, an iptables rule that contains the following specification only matches TCP packets that have the SYN flag set and the ACK and FIN flags not set:

    --tcp-flags ACK,FIN,SYN SYN

    Place ! before --tcp-flags to reverse the effect of the match option.

  • --tcp-option <number> — Matches TCP packets that carry the TCP option with the given number (for example, 2 for Maximum Segment Size). This match can also be reversed with ! before the option.

42.9.3.4.2. UDP Protocol

These match options are available for the UDP protocol (-p udp):

  • --dport — Specifies the destination port of the UDP packet, using the service name, port number, or range of port numbers. The --destination-port match option is synonymous with --dport.

  • --sport — Specifies the source port of the UDP packet, using the service name, port number, or range of port numbers. The --source-port match option is synonymous with --sport.

For the --dport and --sport options, to specify a range of port numbers, separate the two numbers with a colon (:). For example: -p udp --dport 3000:3200. The largest acceptable valid range is 0:65535.

42.9.3.4.3. ICMP Protocol

The following match options are available for the Internet Control Message Protocol (ICMP) (-p icmp):

  • --icmp-type — Sets the name or number of the ICMP type to match with the rule. A list of valid ICMP names can be retrieved by typing the iptables -p icmp -h command.

42.9.3.4.4. Additional Match Option Modules

Additional match options are available through modules loaded by the iptables command.

To use a match option module, load the module by name using the -m <module-name>, where <module-name> is the name of the module.

Many modules are available by default. You can also create modules to provide additional functionality.

The following is a partial list of the most commonly used modules:

  • limit module — Places limits on how many packets are matched to a particular rule.

    When used in conjunction with the LOG target, the limit module can prevent a flood of matching packets from filling up the system log with repetitive messages or using up system resources.

    Refer to Section 42.9.3.5, “Target Options” for more information about the LOG target.

    The limit module enables the following options:

    • --limit — Sets the maximum number of matches for a particular time period, specified as a <value>/<period> pair. For example, using --limit 5/hour allows five rule matches per hour.

      Periods can be specified in seconds, minutes, hours, or days.

      If a number and time modifier are not used, the default value of 3/hour is assumed.

    • --limit-burst — Sets the initial size of the token bucket that --limit refills: up to this many packets can match in a burst before the --limit rate takes over.

      This option is specified as an integer and should be used in conjunction with the --limit option.

      If no value is specified, the default value of five (5) is assumed.

  • state module — Enables state matching.

    The state module enables the following options:

    • --state — match a packet with the following connection states:

      • ESTABLISHED — The matching packet is associated with other packets in an established connection. You need to accept this state if you want to maintain a connection between a client and a server.

      • INVALID — The matching packet cannot be tied to a known connection.

      • NEW — The matching packet starts a connection that the connection tracker has not seen before, such as a TCP SYN or the first UDP datagram of an exchange. You need to accept this state if you want to allow new connections to a service. By default the tracker also picks up TCP flows in mid-stream, so a stray ACK belonging to an untracked flow also counts as NEW; add --syn to TCP rules that should accept only genuine connection requests.

      • RELATED — The matching packet is starting a new connection related in some way to an existing connection. An example of this is FTP, which uses one connection for control traffic (port 21), and a separate connection for data transfer (port 20). Recognizing such a data connection requires the matching protocol helper (ip_conntrack_ftp, or nf_conntrack_ftp on newer kernels), which can be loaded through IPTABLES_MODULES in /etc/sysconfig/iptables-config.

      These connection states can be used in combination with one another by separating them with commas, such as -m state --state INVALID,NEW.

  • mac module — Enables hardware MAC address matching.

    The mac module enables the following option:

    • --mac-source — Matches the source MAC address of the Ethernet frame that carried the packet; it is valid only in the PREROUTING, FORWARD and INPUT chains, since locally generated packets have no incoming frame. Place ! before the option to exclude an address. MAC addresses are trivially forged, so this is a convenience match, not an authentication.

Refer to the iptables man page for more match options available through modules.

42.9.3.5. Target Options

When a packet has matched a particular rule, the rule can direct the packet to a number of different targets which determine the appropriate action. Each built-in chain has a default policy, which is used if none of the rules on that chain match a packet or if none of the rules which match the packet specify a target; a user-defined chain has no policy and instead returns control to the chain that called it.

The following are the standard targets:

  • <user-defined-chain> — A user-defined chain within the table. User-defined chain names must be unique. This target passes the packet to the specified chain.

  • ACCEPT — Allows the packet through to its destination or to another chain.

  • DROP — Drops the packet without responding to the requester. The system that sent the packet is not notified of the failure.

  • QUEUE — The packet is queued for handling by a user-space application.

  • RETURN — Stops checking the packet against rules in the current chain. If the packet with a RETURN target matches a rule in a chain called from another chain, the packet is returned to the first chain to resume rule checking where it left off. If the RETURN rule is used on a built-in chain and the packet cannot move up to its previous chain, the default target for the current chain is used.

In addition, extensions are available which allow other targets to be specified. These target extensions are distinct from the match option modules of Section 42.9.3.4.4, “Additional Match Option Modules”, which select packets rather than act on them, and most apply only to specific tables and situations.

Many extended target modules exist, most of which only apply to specific tables or situations. Some of the most popular target modules included by default in Red Hat Enterprise Linux are:

  • LOG — Logs all packets that match this rule. Because the packets are logged by the kernel, the /etc/syslog.conf file determines where these log entries are written. By default, they are placed in the /var/log/messages file.

    Additional options can be used after the LOG target to specify the way in which logging occurs:

    • --log-level — Sets the priority level of a logging event. Refer to the syslog.conf man page for a list of priority levels.

    • --log-ip-options — Logs any options set in the header of an IP packet.

    • --log-prefix — Places a string of up to 29 characters before the log line when it is written. This is useful for writing syslog filters for use in conjunction with packet logging.

      Note

      The prefix is written immediately before the packet details (IN=...), so without a trailing space the two run together in the log line; end the --log-prefix value with a space, as in --log-prefix "IPT-DROP ".

    • --log-tcp-options — Logs any options set in the header of a TCP packet.

    • --log-tcp-sequence — Writes the TCP sequence number for the packet in the log.

  • REJECT — Sends an error packet back to the remote system and drops the packet.

    The REJECT target accepts --reject-with <type> (where <type> is the rejection type) allowing more detailed information to be returned with the error packet. The message port-unreachable is the default error type given if no other option is used. Refer to the iptables man page for a full list of <type> options.

Other target extensions, including several that are useful for IP masquerading using the nat table, or with packet alteration using the mangle table, can be found in the iptables man page.
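The following script ties together the state, limit and LOG/REJECT material of this section and the previous one. It is an added example, not part of the Red Hat guide: it prints a minimal stateful host firewall in the format that /sbin/iptables-restore reads (the same format as /etc/sysconfig/iptables). The management subnet 192.168.10.0/24, the SSH port, and the function names gen_ruleset, rule_line, check_ruleset and apply_ruleset are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the Red Hat guide): build a minimal stateful
# host firewall in iptables-restore format. The management subnet and
# SSH port below are illustrative assumptions; the function names are ours.
MGMT_NET=${MGMT_NET:-192.168.10.0/24}   # assumed admin network
SSH_PORT=${SSH_PORT:-22}                # assumed sshd port

# gen_ruleset prints the rule set on stdout. Lines beginning with '#'
# are ignored by iptables-restore, so the comments can stay in the file.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Loopback is trusted.
-A INPUT -i lo -j ACCEPT
# Replies to tracked connections come first: most packets hit this rule,
# and it must precede the NEW-connection rules below.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot tie to any flow are dropped before a service sees them.
-A INPUT -m state --state INVALID -j DROP
# New SSH sessions: only from the management subnet and only genuine SYNs
# (NEW alone would also accept a stray ACK picked up mid-stream).
-A INPUT -p tcp --syn --dport $SSH_PORT -s $MGMT_NET -m state --state NEW -j ACCEPT
# Answer pings, but at most 5/s with a burst of 10, so a flood is cheap to absorb.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# Everything else: log a sample, then reject.
-A INPUT -j LOGDROP
# The trailing space in the prefix keeps it separate from the IN= field.
-A LOGDROP -m limit --limit 3/minute --limit-burst 5 -j LOG --log-prefix "IPT-DROP " --log-level 4
-A LOGDROP -p tcp -j REJECT --reject-with tcp-reset
-A LOGDROP -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# rule_line prints the 1-based line number of the first line containing
# the given text, so rule ordering can be checked before loading.
rule_line() {
    gen_ruleset | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# check_ruleset parses the rules without committing them (needs root).
check_ruleset() { gen_ruleset | iptables-restore --test; }

# apply_ruleset loads the rules (needs root); persist them afterwards
# with "/sbin/service iptables save".
apply_ruleset() { gen_ruleset | iptables-restore; }
```

Run check_ruleset first; it exercises the same parser as a real load and catches a typo before it costs you the connection. The rule_line helper exists so a script can verify that the ESTABLISHED,RELATED rule still precedes the NEW rules after someone edits the file.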

42.9.3.6. Listing Options

The default list command, iptables -L [<chain-name>], provides a very basic overview of the default filter table's current chains. Additional options provide more information:

  • -v — Displays verbose output, such as the number of packets and bytes each chain has processed, the number of packets and bytes each rule has matched, and which interfaces apply to a particular rule.

  • -x — Expands numbers into their exact values. On a busy system, the packet and byte counts for a chain or rule are abbreviated with K, M or G suffixes (kilo, mega, giga). This option forces the full number to be displayed, which is what you want when the listing is fed to a script.

  • -n — Displays IP addresses and port numbers in numeric format, rather than the default hostname and network service format.

  • --line-numbers — Lists rules in each chain next to their numeric order in the chain. This option is useful when attempting to delete the specific rule in a chain or to locate where to insert a rule within a chain.

  • -t <table-name> — Specifies a table name. If omitted, defaults to the filter table.

The following examples illustrate the use of several of these options. Note the difference in the byte display by including the -x option.


[root@myserver ~]# iptables -L OUTPUT -v -n -x
Chain OUTPUT (policy ACCEPT 64005 packets, 6445791 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1593     133812 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

[root@myserver ~]# iptables -L OUTPUT -v -n
Chain OUTPUT (policy ACCEPT 64783 packets, 6492K bytes)
    pkts bytes target     prot opt in     out     source               destination
    1819  153K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
[root@myserver ~]#
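Once the counters are exact (-x) and the addresses numeric (-n), the listing is easy to audit with awk. The following is an added example, not part of the guide: it reads the output of iptables -L INPUT -v -n -x --line-numbers and reports rules that have never matched and ACCEPT rules open to any source on any interface. The listing in sample_listing is constructed for the example, and the function names are ours.

```sh
#!/bin/sh
# Added example (not from the guide): audit the output of
#   iptables -L INPUT -v -n -x --line-numbers
# -x matters: without it counters arrive as "153K" and the numeric
# comparison below would be wrong. The listing is constructed.

# sample_listing prints a constructed listing in the -v -n -x --line-numbers
# column layout: num pkts bytes target prot opt in out source destination [matches].
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1       10423    1245000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      884211  512394411 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3           0          0 ACCEPT     tcp  --  *      *       192.168.10.0/24      0.0.0.0/0            tcp dpt:22 state NEW
4         318      19080 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
5          57       3420 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# unused_rules reads a listing on stdin and prints the numbers of rules
# whose packet counter is zero: candidates for removal, or a sign that
# the rule sits below one that already matches the same traffic.
unused_rules() {
    awk '/^Chain / || /^num / || NF == 0 { next }
         $2 + 0 == 0 { print $1 }'
}

# open_accepts reads a listing on stdin and prints the numbers of ACCEPT
# rules that take traffic from any source, on any interface, without a
# state qualifier: the rules that deserve a second look.
open_accepts() {
    awk '/^Chain / || /^num / || NF == 0 { next }
         $4 == "ACCEPT" && $7 == "*" && $9 == "0.0.0.0/0" && $0 !~ /state/ { print $1 }'
}
```

On a live host replace sample_listing with iptables -L INPUT -v -n -x --line-numbers; the rule numbers printed are exactly the ones -D and -I take.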

42.9.4. Saving IPTables Rules

Rules created with the iptables command are stored in memory. If the system is restarted before saving the iptables rule set, all rules are lost. For netfilter rules to persist through a system reboot, they need to be saved. To save netfilter rules, type the following command as root:


/sbin/service iptables save

This executes the iptables init script, which runs the /sbin/iptables-save program and writes the current iptables configuration to /etc/sysconfig/iptables. The existing /etc/sysconfig/iptables file is saved as /etc/sysconfig/iptables.save.

The next time the system boots, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.

While it is always a good idea to test a new iptables rule before committing it to the /etc/sysconfig/iptables file, it is possible to copy iptables rules into this file from another system's version of this file. This provides a quick way to distribute sets of iptables rules to multiple machines.

You can also save the iptables rules to a separate file for distribution, backup or other purposes. To save your iptables rules, type the following command as root:


[root@myserver ~]# iptables-save > <filename>

where <filename> is a user-defined name for your ruleset.

Important

If distributing the /etc/sysconfig/iptables file to other machines, type /sbin/service iptables restart for the new rules to take effect.

Note

Note the difference between the iptables command (/sbin/iptables), which is used to manipulate the tables and chains that constitute the iptables functionality, and the iptables service (/sbin/service iptables), which is used to start, stop, save and restore the rule set as a whole.
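The guide advises testing a rule set before committing it, and the classic way to do that on a remote host is to load it with an automatic rollback so that a mistake cannot lock you out. The script below is an added example, not part of the guide or the iptables package: it saves the live rules with iptables-save, loads the candidate with iptables-restore, and restores the saved rules unless a confirmation file appears within a timeout. IPT_SAVE and IPT_RESTORE are hypothetical hooks that let the logic run without root; the function name is ours.

```sh
#!/bin/sh
# Added example (not from the guide): load a candidate rule set with an
# automatic rollback. The administrator has ROLLBACK_SECONDS to create the
# confirm file from a *new* session; if the new rules cut off access, no
# confirmation arrives and the saved rules are put back. IPT_SAVE and
# IPT_RESTORE are hypothetical hooks so the logic can be exercised without root.
: "${IPT_SAVE:=iptables-save}"
: "${IPT_RESTORE:=iptables-restore}"
: "${ROLLBACK_SECONDS:=60}"

# apply_with_rollback <candidate-file> <confirm-file>
# Returns 0 if confirmed, 1 if rolled back, 2 if saving or loading failed.
apply_with_rollback() {
    candidate=$1
    confirm=$2
    backup=$(mktemp) || return 2
    # Keep the live rules so a rollback is exact.
    if ! $IPT_SAVE > "$backup"; then
        rm -f "$backup"; return 2
    fi
    # A parse error leaves the live rules untouched; nothing to undo.
    if ! $IPT_RESTORE < "$candidate"; then
        rm -f "$backup"; return 2
    fi
    waited=0
    while [ "$waited" -lt "$ROLLBACK_SECONDS" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$backup" "$confirm"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    # No confirmation: assume we are locked out and restore the old rules.
    $IPT_RESTORE < "$backup"
    rm -f "$backup"
    return 1
}
```

Usage on a real host, as root: apply_with_rollback /root/candidate.rules /root/confirm, then from a fresh SSH session run touch /root/confirm; only after the function returns 0 run /sbin/service iptables save to persist the rules. If the fresh session cannot connect, wait out the timeout and the old rules return on their own.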

42.9.5. IPTables Control Scripts

There are two basic methods for controlling iptables in Red Hat Enterprise Linux:

  • Security Level Configuration Tool (system-config-securitylevel) — A graphical interface for creating, activating, and saving basic firewall rules. Refer to Section 42.8.2, “Basic Firewall Configuration” for more information.

  • /sbin/service iptables <option> — Used to manipulate various functions of iptables using its initscript. The following options are available:

    • start — If a firewall is configured (that is, /etc/sysconfig/iptables exists), all running iptables are stopped completely and then started using the /sbin/iptables-restore command. This option only works if the ipchains kernel module is not loaded. To check if this module is loaded, type the following command as root:

      
      [root@MyServer ~]# lsmod | grep ipchains
      
      

      If this command returns no output, it means the module is not loaded. If necessary, use the /sbin/rmmod command to remove the module.

    • stop — If a firewall is running, the firewall rules in memory are flushed, and all iptables modules and helpers are unloaded.

      If the IPTABLES_SAVE_ON_STOP directive in the /etc/sysconfig/iptables-config configuration file is changed from its default value to yes, current rules are saved to /etc/sysconfig/iptables and any existing rules are moved to the file /etc/sysconfig/iptables.save.

      Refer to Section 42.9.5.1, “IPTables Control Scripts Configuration File” for more information about the iptables-config file.

    • restart — If a firewall is running, the firewall rules in memory are flushed, and the firewall is started again if it is configured in /etc/sysconfig/iptables. This option only works if the ipchains kernel module is not loaded.

      If the IPTABLES_SAVE_ON_RESTART directive in the /etc/sysconfig/iptables-config configuration file is changed from its default value to yes, current rules are saved to /etc/sysconfig/iptables and any existing rules are moved to the file /etc/sysconfig/iptables.save.

      Refer to Section 42.9.5.1, “IPTables Control Scripts Configuration File” for more information about the iptables-config file.

    • status — Displays the status of the firewall and lists all active rules.

      The default configuration for this option displays IP addresses in each rule. To display domain and hostname information, edit the /etc/sysconfig/iptables-config file and change the value of IPTABLES_STATUS_NUMERIC to no. Refer to Section 42.9.5.1, “IPTables Control Scripts Configuration File” for more information about the iptables-config file.

    • panic — Flushes all firewall rules. The policy of all configured tables is set to DROP.

      This option could be useful if a server is known to be compromised. Rather than physically disconnecting from the network or shutting down the system, you can use this option to stop all further network traffic but leave the machine in a state ready for analysis or other forensics.

    • save — Saves firewall rules to /etc/sysconfig/iptables using iptables-save. Refer to Section 42.9.4, “Saving IPTables Rules” for more information.

Tip

To use the same initscript commands to control netfilter for IPv6, substitute ip6tables for iptables in the /sbin/service commands listed in this section. For more information about IPv6 and netfilter, refer to Section 42.9.6, “IPTables and IPv6”.

42.9.5.1. IPTables Control Scripts Configuration File

The behavior of the iptables initscripts is controlled by the /etc/sysconfig/iptables-config configuration file. The following is a list of directives contained in this file:

  • IPTABLES_MODULES — Specifies a space-separated list of additional iptables modules to load when a firewall is activated. These can include connection tracking and NAT helpers.

  • IPTABLES_MODULES_UNLOAD — Unloads modules on restart and stop. This directive accepts the following values:

    • yes — The default value. This option must be set to achieve a correct state for a firewall restart or stop.

    • no — This option should only be set if there are problems unloading the netfilter modules.

  • IPTABLES_SAVE_ON_STOP — Saves current firewall rules to /etc/sysconfig/iptables when the firewall is stopped. This directive accepts the following values:

    • yes — Saves existing rules to /etc/sysconfig/iptables when the firewall is stopped, moving the previous version to the /etc/sysconfig/iptables.save file.

    • no — The default value. Does not save existing rules when the firewall is stopped.

  • IPTABLES_SAVE_ON_RESTART — Saves current firewall rules when the firewall is restarted. This directive accepts the following values:

    • yes — Saves existing rules to /etc/sysconfig/iptables when the firewall is restarted, moving the previous version to the /etc/sysconfig/iptables.save file.

    • no — The default value. Does not save existing rules when the firewall is restarted.

  • IPTABLES_SAVE_COUNTER — Saves and restores all packet and byte counters in all chains and rules. This directive accepts the following values:

    • yes — Saves the counter values.

    • no — The default value. Does not save the counter values.

  • IPTABLES_STATUS_NUMERIC — Outputs IP addresses in numeric form instead of domain or hostnames. This directive accepts the following values:

    • yes — The default value. Returns only IP addresses within a status output.

    • no — Returns domain or hostnames within a status output.
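As an added example (not part of the Deployment Guide), the following POSIX shell helper reads an iptables-config-style file, applies the defaults listed above for any directive that is absent, and flags a configuration where service iptables stop or restart would overwrite the saved ruleset in /etc/sysconfig/iptables with whatever is currently in memory. The sample file it writes is constructed for illustration; the function names are hypothetical.

```shell
# Constructed sample of an iptables-config file (illustration only, not a system file).
SAMPLE_CONFIG="$(mktemp)"
cat >"$SAMPLE_CONFIG" <<'EOF'
# IPTABLES_MODULES_UNLOAD="no"   (commented out, so the default applies)
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_STATUS_NUMERIC=no
EOF

# Default value of each directive, as documented for the iptables initscript.
iptables_config_default() {
    case "$1" in
        IPTABLES_MODULES_UNLOAD|IPTABLES_STATUS_NUMERIC) echo yes ;;
        IPTABLES_SAVE_ON_STOP|IPTABLES_SAVE_ON_RESTART|IPTABLES_SAVE_COUNTER) echo no ;;
        IPTABLES_MODULES) echo "" ;;
        *) return 1 ;;
    esac
}

# Effective value of directive $2 in file $1: the last uncommented assignment
# wins (surrounding double quotes stripped); if none is present, use the default.
iptables_config_effective() {
    file="$1"; name="$2"
    value="$(sed -n "s/^[[:space:]]*${name}=//p" "$file" | tail -n 1 | sed 's/^"\(.*\)"$/\1/')"
    if [ -z "$value" ] && ! grep -q "^[[:space:]]*${name}=" "$file"; then
        iptables_config_default "$name"
    else
        echo "$value"
    fi
}

# Returns non-zero (with a warning) when a stop or restart would persist the
# in-memory rules over the saved file, which matters if the running ruleset
# may have been altered on a compromised host.
iptables_config_persist_warning() {
    stop="$(iptables_config_effective "$1" IPTABLES_SAVE_ON_STOP)"
    restart="$(iptables_config_effective "$1" IPTABLES_SAVE_ON_RESTART)"
    if [ "$stop" = yes ] || [ "$restart" = yes ]; then
        echo "WARNING: stop/restart will overwrite /etc/sysconfig/iptables with the running rules"
        return 1
    fi
    echo "saved ruleset is preserved on stop/restart"
}
```

Run it against /etc/sysconfig/iptables-config on a real host to see which directives are actually in effect rather than what the file appears to say.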

42.9.6. IPTables and IPv6

If the iptables-ipv6 package is installed, netfilter in Red Hat Enterprise Linux can filter the next-generation IPv6 Internet protocol. The command used to manipulate the IPv6 netfilter is ip6tables.

Most directives for this command are identical to those used for iptables, except the nat table is not yet supported. This means that it is not yet possible to perform IPv6 network address translation tasks, such as masquerading and port forwarding.

Rules for ip6tables are saved in the /etc/sysconfig/ip6tables file. Previous rules saved by the ip6tables initscripts are saved in the /etc/sysconfig/ip6tables.save file.

Configuration options for the ip6tables init script are stored in /etc/sysconfig/ip6tables-config, and the names for each directive vary slightly from their iptables counterparts.

For example, the iptables-config directive IPTABLES_MODULES has the equivalent IP6TABLES_MODULES in the ip6tables-config file.

42.9.7. Additional Resources

Refer to the following sources for additional information on packet filtering with iptables.

  • Section 42.8, “Firewalls” — Contains a chapter about the role of firewalls within an overall security strategy as well as strategies for constructing firewall rules.

42.9.7.1. Installed Documentation

  • man iptables — Contains a description of iptables as well as a comprehensive list of targets, options, and match extensions.

42.9.7.2. Useful Websites